Brex
WarnAudited by ClawScan on May 10, 2026.
Overview
The Brex skill is a coherent integration, but it gives an agent broad financial-account powers such as creating transfers and deleting vendors without clear scope or confirmation limits in the provided instructions.
Install only if you trust Membrane with Brex access and are comfortable letting an agent interact with sensitive financial data. Use least-privilege credentials, confirm every create/update/delete/transfer action explicitly, consider pinning the CLI version, and revoke the Brex/Membrane connection when finished.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent chooses the wrong action or parameters, it could alter Brex business records or initiate financial workflows such as transfers.
The skill exposes a generic action runner for Brex actions, including destructive and financial-transfer actions, but the provided visible instructions do not require explicit user confirmation or bounded execution for those high-impact operations.
| Delete Vendor | delete-vendor | Deletes a vendor by ID. | ... | Create Transfer | create-transfer | Creates a new transfer. | ... membrane action run <actionId> --connectionId=CONNECTION_ID --json
Require explicit user confirmation for every create, update, delete, card, vendor, budget, expense, or transfer action; prefer read-only use unless the user clearly authorizes a specific mutation.
Installing and using the skill may give the agent persistent access to sensitive Brex account data and actions under the connected user's permissions.
The skill relies on delegated Brex access through Membrane with automatic credential refresh, but the provided artifact does not show least-privilege scopes, token lifetime, or revocation guidance.
Membrane handles authentication and credentials refresh automatically ... membrane connection ensure "https://brex.com" --json
Use a least-privilege Brex/Membrane connection, review granted scopes carefully, and revoke the connection when it is no longer needed.
Your Brex data and authorization flow depend on Membrane's service boundary and security practices.
Membrane is a disclosed intermediary for Brex authentication and actions, so sensitive financial data and credentials may pass through or be managed by that provider.
This skill uses the Membrane CLI to interact with Brex. Membrane handles authentication and credentials refresh automatically
Use this only if you trust Membrane for Brex access, and review Membrane's data handling and account security settings.
Future CLI versions could behave differently from the version reviewed here.
The setup uses a global npm install with the moving @latest tag. This is central to the skill's purpose, but it means the installed code can change over time and is not pinned by the skill artifact.
npm install -g @membranehq/cli@latest
Install from a trusted source and consider pinning a reviewed Membrane CLI version.
A remote response could influence how the agent proceeds during connection setup.
The skill tells the agent that remote connection responses may include agent-facing instructions. That can be useful for setup, but such instructions should not override the user's request or higher-priority safety rules.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
Treat provider-returned instructions as untrusted task data and confirm any sensitive or mutating action with the user.